Ohio HB 96: A Game-Changer for Public Sector Cybersecurity

  • Writer: Mansfield Tech
  • Oct 10

Why Ohio HB 96 Matters for IT Hardware Disposal & Resale


On June 30, 2025, Ohio Governor DeWine signed House Bill 96 into law, ushering in sweeping new cybersecurity obligations for counties, cities, townships, school districts, libraries, and other political subdivisions across the state. (Bricker Graydon)


While much of the commentary has focused on incident reporting, ransomware pay-restrictions, and governance, one element that deserves more attention is how HB 96 imposes implicit supply chain and media disposition expectations that directly intersect with standards like NIST SP 800-88—especially when IT hardware is resold or auctioned via platforms like GovDeals or eBay.


Here’s how the law reshapes expectations, where NIST 800-88 fits in, and what you must watch out for when flogging retired hardware.

 

Key Provisions of HB 96 That Touch Supply Chain & Disposition

Under Ohio Revised Code § 9.64, political subdivisions must:

  1. Adopt a cybersecurity program that ensures the confidentiality, integrity, and availability of IT systems and data, “consistent with generally accepted best practices” (e.g. NIST, CIS). (Ohio Laws)

  2. Detect, respond to, and remediate cyber threats with defined procedures. (cyber.ohio.gov)

  3. Report cybersecurity incidents to the Ohio Department of Public Safety (within 7 days) and to the Auditor’s Office (within 30 days). (Ohio Laws)

  4. Restrict ransomware payments: no payment or compliance unless the legislative authority (e.g., city council, school board) passes a resolution justifying the action. (Ohio Laws)


Though HB 96 does not explicitly prescribe “sanitization techniques” or mention GovDeals/eBay, the “generally accepted best practices” it requires programs to follow, and the state’s own administrative policies, do address sanitization. For example:

  • Ohio’s IT-05 policy (Disposal, Servicing, State Surplus) mandates that state agencies ensure that IT equipment is sanitized before disposal, long-term loan, or surplus transfer. (Department of Administrative Services)

  • Ohio’s IT-14 policy (Data Encryption & Related Procedures) requires that removal or destruction of confidential data on portable media align with NIST SP 800-88 standards. (Department of Administrative Services)


When you connect those dots, you see that HB 96’s cybersecurity umbrella inherently brings disposal and resale of hardware under heightened scrutiny.

 

NIST SP 800-88: The Definitive Guide for Media Sanitization

To fully appreciate the implications, let’s revisit NIST SP 800-88 (“Guidelines for Media Sanitization”) — one of the leading authoritative references for how to sanitize or dispose of data-bearing devices. (NIST CSRC)


In summary, NIST 800-88 defines three levels of sanitization:

  • Clear — Overwriting or using software-based commands to make data unreadable (adequate when media stays under trusted control)

  • Purge — More rigorous: degaussing, cryptographic erasure, or vendor-specific sanitization commands (better for more sensitive data)

  • Destroy — Physical destruction (e.g. shredding, incineration) to render recovery infeasible


The choice among clear, purge, or destroy depends on the sensitivity of the data, the risk of disclosure, and whether the media will be reused or repurposed. (NIST Publications)


NIST also emphasizes verification (i.e., proving that sanitization worked) and recordkeeping (a certificate of sanitization). (NIST Publications)


Thus, when a public entity disposes of IT hardware (especially with storage media inside), it must do so in a defensible, standards-aligned way—not ad hoc wiping or default reset.

 

Selling IT Hardware via GovDeals / eBay: What’s at Risk Under HB 96

Selling off old servers, switches, laptops, or storage systems on auction or surplus sites is a common practice. But under HB 96 + associated policies + NIST guidance, doing so without careful control can trigger serious compliance and liability risks. Here’s how:

| Risk Vector | Why It Matters Under HB 96 / NIST | Mitigation / Best Practice |
| --- | --- | --- |
| Residual data exposure | If hardware still contains recoverable data, that constitutes a breach of confidentiality. Under HB 96’s cyber program mandate, such exposures may count as reportable incidents. | Enforce strict sanitization (purge or destroy) before resale. Use verified tools and maintain certificates. |
| Chain of custody / audit trail gaps | HB 96 demands documented programs, standards, and incident accountability. If disposal is murky, auditors or regulators may object. | Maintain logs, signatures, and tracking of every device’s sanitization and handoff. |
| Warranty or “as-is” sales claims | Some devices might be sold “as-is,” but if buyers find recoverable sensitive data, the selling entity could face reputational or legal backlash. | Disclose clearly and ensure all media are sanitized to NIST levels. |
| Third-party intermediary risk | Auction platforms may change hands, import/export the device, or resell multiple times. That broadens exposure. | Use vendors or disposal firms that guarantee compliance and restrict further resale. |
| Mismatch between policy and practice | If the entity’s cybersecurity program (as required by HB 96) claims alignment with best practices, but disposal doesn’t follow NIST 800-88, the program’s credibility is undermined. | Audit disposal practices annually and ensure they align with your documented cyber policy. |

In short: selling IT hardware online is not just a cost-recovery activity — it’s part of your cybersecurity posture.

 

Practical Recommendations for Organizations in Ohio

  1. Update internal policies: Amend your IT asset disposal and surplus policies to explicitly require NIST-style sanitization (preferably “purge” or “destroy” for storage media), plus verification and certificates.

  2. Deploy trusted wipe tools or services: Use vetted tools (e.g. vendor sanitize commands, cryptographic erase, certified destruction) and test them.

  3. Segregate sale-worthy assets: Before surplus sale, physically remove or isolate drives/media, sanitize, and then re-provision a “clean state” for sale.

  4. Use reputable resale partners with compliance guarantees: If you use GovDeals or eBay, require that the resale processes do not reintroduce liability (e.g. prohibit buyers from claiming data recovery, chain-of-custody warranties).

  5. Document everything: Capture device IDs, sanitization method, operator, time, verification result, recipient, and any chain-of-custody transfers. This documentation aligns with HB 96’s expectation of accountable cybersecurity programs.

  6. Train your people: Make sure your procurement, IT, compliance, and surplus teams understand the risks. Under HB 96, training is a core required component. (Ohio Laws)

  7. Conduct periodic audits / spot checks: Use forensic sampling on retired devices (if you still have images) to confirm no residual data. This enforces integrity of your process.
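As an added example (not part of the original post), the documentation in recommendation 5 can be turned into a pre-sale gate that refuses to release a device whose record is incomplete, unverified, or has a broken chain of custody. The field names, the owner label, and the rule that “clear” is not accepted for externally released media are assumptions made for this sketch; the sample records are constructed.

```python
from datetime import datetime

# Assumption: media leaving the entity's control (auction, resale) must be
# purged or destroyed; "clear" is accepted only for internal reuse.
RELEASE_METHODS = {"purge", "destroy"}
REQUIRED = ("device_id", "method", "operator", "sanitized_at",
            "verification", "certificate_id", "custody")


def release_blockers(record, owner):
    """Return the reasons a device record is not ready for external sale."""
    problems = [f"missing field: {f}" for f in REQUIRED if not record.get(f)]
    method = record.get("method")
    if method and method not in RELEASE_METHODS:
        problems.append(f"method '{method}' not accepted for external release")
    if record.get("verification") not in (None, "", "pass"):
        problems.append("verification did not pass")
    wiped = record.get("sanitized_at")
    wiped = datetime.fromisoformat(wiped) if wiped else None
    # Chain of custody: starts with the owner, each hand-off begins where the
    # previous one ended, and nothing goes external before sanitization.
    holder = owner
    for hop in record.get("custody") or []:
        when = datetime.fromisoformat(hop["at"])
        if hop["from"] != holder:
            problems.append(f"custody gap: {holder} -> {hop['from']}")
        if hop["external"] and (wiped is None or when < wiped):
            problems.append(f"external hand-off to {hop['to']} before sanitization")
        holder = hop["to"]
    return problems


# Constructed sample records (not real devices, people or certificates).
GOOD = {"device_id": "LT-0001", "method": "purge", "operator": "j.doe",
        "sanitized_at": "2025-10-01T09:00:00", "verification": "pass",
        "certificate_id": "CERT-EXAMPLE-1", "custody": [
            {"from": "IT", "to": "Surplus", "at": "2025-10-01T13:00:00", "external": False},
            {"from": "Surplus", "to": "Buyer", "at": "2025-10-08T10:00:00", "external": True}]}
BAD = {"device_id": "SRV-0002", "method": "clear", "operator": "j.doe",
       "sanitized_at": "2025-10-05T09:00:00", "verification": "fail",
       "certificate_id": "", "custody": [
           {"from": "IT", "to": "Surplus", "at": "2025-10-02T13:00:00", "external": False},
           {"from": "Warehouse", "to": "Buyer", "at": "2025-10-03T10:00:00", "external": True}]}

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec["device_id"], release_blockers(rec, owner="IT") or "ready for sale")
```

An empty result means the record supports release; each returned string is a finding to resolve before the listing goes up.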

 

Final Thoughts & Call to Action

Ohio HB 96 sends a clear signal: cybersecurity must be holistic, not limited to firewalls or incident response. The lifecycle of IT assets—particularly disposal and resale—is now squarely within that umbrella. Entities that treat surplus hardware as an afterthought risk inconsistency between policy and practice.


For any Ohio-based political subdivision or school district preparing for HB 96 compliance (effective September 30, 2025) (ohioschoolboards.org), your path to defensibility must include media sanitization aligned with NIST 800-88 and robust documentation for any hardware sale.


If you like, I can draft a version of this post tailored to your specific agency (school district, county, etc.) or even prepare a “cheat sheet” that your IT / surplus team can follow. Do you want me to do that?

 
 
 
